Sun Microsystems plans to move its website authentication and single sign-on technologies to open source. The technologies willbecome part of the company's newly-created Open Source Web Single Sign-On (OpenSSO) project. Sun hopes the move will encourage Java developers to build more secure applications featuring identity management.

"It's a way to move the market forward and fundamentally change the conversation people are having" to be less about identity management application suites and more about ID management services, said Eric Leach, Sun's director of product management for identity management. "To date, they have been arguing about the length and width of the railroad ties instead of laying down tracks and getting the trains running."

Sun also intends to release the source code for agents to connect the website authentication and Web SSO technologies with its Java System Web Server and its Java System Application Server, Leach said.

The company will taking all three pieces of source code - authentication, single sign-on and agents - into the open-source world following the release of version 7.0 of its Java System Access Manager security software in the fall, Leach said. Read-only source code will be available at the start of 2006, he added, with Sun offering the full source code under the CDDL (Common Development and Distribution License) shortly afterwards.

Sun will host an OpenSSO community Web site on its website at, Leach said. The site will provide developers with information including roadmaps, sample code, documentation and tutorials.

John Loiacono, executive vice president of Sun's software group, made the OpenSSO announcement Wednesday during a speech at the Burton Group's Catalyst Conference in San Diego.

The move marks Sun's third major foray into open sourcing its software. Last month, at the JavaOne conference in San Francisco, Sun announced plans to put its Java System Application Server Platform Edition and its Java Business Integration specification under the CDDL, while back in January the company released OpenSolaris, an open-source version of its operating system, also under the CDDL.

Earl Perkins, an analyst with market research company Gartner, sees Sun's move as a way to get more exposure for its software, which hasn't been widely adopted by corporations. "It's a way of bringing it into the light for consideration by enterprises," he said.

Sun's Leach doesn't deny that. "I certainly hope that's one of the effects," he said.

Today's identity and access management market is dominated by Computer Associates' Netegrity SiteMinder and RSA Security's ClearTrust, Gartner's Perkins said. Other strong players' products include IBM's Tivoli Access Manager, Oracle's Oblix COREid, Entrust's GetAccess, Novell's iChain and Bull Evidian's Secure Access Manager, he added.

Large vendors have been scrambling over each other to buy up identity management technologies, with RSA and Entrust the only two players still standing while CA and other have gobbled up their peers, Perkins said.

Open sourcing its ID and access management software is a clever move by Sun since it comes at a time when the technologies are beginning to become commoditised, according to Perkins "You're starting to see the basic functions [appearing] in application server and portal products and in different types of suites and stack products," he said. "Sun's recognizing that its extranet access management product may have a somewhat limited shelf life."

Sun's Leach doesn't believe Sun is likely to face off against the existing open-source ID management player, Shibboleth, a set of open-source tools, scripts and routines. Shibboleth is primarily used by universities and other educational institutions, while Sun's efforts are focused on corporations, he said.